Aussies held to ransom by nasty software

Liam Tung

If your computer appears to be taken hostage by local police who demand the payment of a fine to grant you access to your data, would you pay the fee, yank the power cord or recognise a scam and figure out how to neutralise it?

Malicious software that demands payment for the return of access to personal or financial data, known as “ransomware”, has been around in various forms for over a decade, but this year police-themed ransomware has emerged as the scam du jour for online con artists and there is evidence they are ramping up activity in Australia significantly.

The simple con exploits victims' lack of knowledge about online surveillance, enforcement and the law. Victims are told police have detected crimes ranging from copyright infringement to viewing child abuse material and are generally asked to pay a fine of about $100 in the local currency within 72 hours via prepaid services such as UKash, a UK-based voucher payments service.

The first police-themed ransomware arrived in October in Australia, shortly before the Australian Federal Police (AFP) warned that cybercriminals were using its logo in a scam to trick victims into paying a fraudulent $100 fine for “illegal” online activity.

A spokesperson for the Australian Competition and Consumer Commission (ACCC), which operates consumer alert service Scamwatch, told Fairfax that it had received 100 complaints of police ransomware since the Australian-targeted scam first emerged.

Ransomware ... another screengrab.

The number of complaints however is likely to rise significantly in coming months.

According to one malware researcher who goes by the online name Kafeine and has been tracking police ransomware across the world, the number of Australians presented with a fake AFP fine spiked dramatically at the end of October.

Since early October Australian numbers in the operation he’s been tracking have remained below 10 on any given day. But on October 28 that figure jumped over 1600 per cent to 160 and on October 29 it tripled again to 403.

A screengrab of software used by "Kafeine" to keep track of the ransomware.

The ransomware is most likely installed after the victim visited a website rigged with a crime toolkit that looks for weaknesses in popular software, such as the browser, or a media player like Adobe Flash or a PDF viewer.

While the same malware is used to target victims from different countries, it is configured to present a message that bears the name and logo of a local law enforcement authority in order to increase the chances of payment.

Kafeine’s figures are drawn from one operation he has gained access to, offering insight into the number of PCs the ransomware is installed on in each country and the number of times the message has been presented to victims.

The two main ransomware scams targeting Australians are Reveton and Urausy, which both purport to be the AFP and can be viewed on Kafeine's “gallery” of the localised presentation pages for the malware.

The majority of would-be victims recognise the scam for what it is, but figures from Britain show that criminals are netting around 3 per cent of victims there.

London's Metropolitan Police revealed in August that of 1100 ransomware reports it received, 36 had paid the fake fine of £100 ($155).

Even after the surge, the number of Australians slugged with ransomware messages is still lower than in the UK, Turkey and Spain, but higher than in other parts of Europe that have been targeted by ransomware gangs for much longer than Australia.

So what should Australians do if they are presented with an online fine purportedly from the AFP?

“The most important thing is not to pay the cybercriminals,” said Sergey Golovanov, a malware expert at the Russian security company Kaspersky Lab.

“Go to another computer and start searching for a solution, which you will always be able to find on the internet. All anti-virus companies post free instructions and utilities to help users unblock their computers.”

Some threats can be resolved by cleaning up a malware infection. However, there are more brutal ransomware attacks that use cryptographic locks to prevent victims from accessing their data.

One Northern Territory-based small business, TDC Refrigeration and Electrical, was recently hit by attackers who encrypted the company's financial system data and threatened to destroy it unless the business forked out $3000. The business did and lived to tell the tale. However, had it backed up its data it might not have had to pay for it.

“When you are hit by a well-done encrypting ransomware, if you have no backup, there is nothing you can do except paying or losing your data,” Kafeine said.

Other security professionals agree. “Automatic online backup is a must,” said Michael McKinnon, a security adviser for AVG Australia. “There are many choices of backup software that can securely copy important files to the 'cloud', ensuring that if disaster strikes – such as ransomware that may encrypt or even delete some of your files – you'll be protected.”
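The advice above (keep a copy of your data somewhere the malware cannot reach it, so that an encrypted or deleted file can simply be restored) is easy to state but worth seeing end to end. The following is an added illustration written for this page, not code from the article, from Kafeine, or from any vendor quoted here: it takes a digest-verified snapshot of a constructed "financial system" directory, simulates the files being overwritten with unreadable bytes, identifies which files no longer match the snapshot, and restores them. The directory and file names, the second "backups" directory standing in for cloud or offsite storage, and the sample file contents are all assumptions made up for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large exports are not loaded into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(snap: Path) -> Dict[str, str]:
    return json.loads((snap / MANIFEST).read_text())


def take_snapshot(source: Path, backup_root: Path) -> Path:
    """Copy every file under `source` into a fresh, numbered snapshot directory and
    record a SHA-256 digest per file. Each run creates a new directory; earlier
    snapshots are never overwritten, so a bad copy cannot replace a good one."""
    backup_root.mkdir(parents=True, exist_ok=True)
    n = len(list(backup_root.glob("snapshot-*"))) + 1
    snap = backup_root / f"snapshot-{n:04d}"
    snap.mkdir()
    manifest: Dict[str, str] = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source)
            dest = snap / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel.as_posix()] = sha256_file(p)
    (snap / MANIFEST).write_text(json.dumps(manifest, sort_keys=True, indent=2))
    return snap


def verify_snapshot(snap: Path) -> bool:
    """True if every file in the snapshot still matches its recorded digest."""
    return all(sha256_file(snap / rel) == d for rel, d in load_manifest(snap).items())


def changed_files(source: Path, snap: Path) -> List[str]:
    """Files in the live directory that no longer match the snapshot: missing, or
    with different content. A sudden long list here is what mass encryption looks like."""
    out = []
    for rel, d in load_manifest(snap).items():
        live = source / rel
        if not live.is_file() or sha256_file(live) != d:
            out.append(rel)
    return sorted(out)


def restore_snapshot(snap: Path, target: Path) -> int:
    """Copy every file in the manifest back over the live directory; returns the count."""
    manifest = load_manifest(snap)
    for rel in manifest:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snap / rel, dest)
    return len(manifest)


def demo() -> dict:
    """Back up a constructed data directory, simulate two files being overwritten
    with unreadable bytes, then recover them from the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "financial_system"   # constructed sample data (assumption)
        backups = Path(tmp) / "backups"         # stand-in for offsite/cloud storage
        (data / "invoices").mkdir(parents=True)
        (data / "ledger.txt").write_text("2012-10-29,invoice 1042,AUD 850.00\n")
        (data / "invoices" / "2012-10.csv").write_text("id,customer,amount\n1042,Acme,850.00\n")
        (data / "notes.txt").write_text("backup test\n")

        snap = take_snapshot(data, backups)
        assert verify_snapshot(snap), "snapshot copy does not match its manifest"

        # Simulated damage: two files replaced by random bytes, one left untouched.
        for rel in ("ledger.txt", "invoices/2012-10.csv"):
            (data / rel).write_bytes(os.urandom(64))

        changed = changed_files(data, snap)
        restored = restore_snapshot(snap, data)
        return {
            "changed": changed,
            "restored": restored,
            "clean_after_restore": changed_files(data, snap) == [],
        }


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the copy trustworthy rather than merely present: a backup that has itself been silently damaged is checked with `verify_snapshot` before anyone relies on it. In practice the `backups` directory would be somewhere the workstation cannot write to at will (the "cloud" copy McKinnon describes, or storage that only the backup job can reach), since a copy on the same disk is reachable by the same malware.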

Liam Tung has covered enterprise and consumer technology and security since 2007 for some of the world's leading technology news websites, including CBS Interactive's ZDNet and CNet, IDG's CSO Magazine and has had several of his stories syndicated to the New York Times.

116 comments

Store as little as possible in the default Windows location for your data (my docs etc). You can't completely avoid using these locations since many apps store there, but you can minimise it. At least pre-win8. :)

Commenter

Brave New World

Date and time

November 05, 2012, 11:10AM

All business should be running a virtual machine to host their financial/banking/invoicing software making it nearly impossible for anyone to compromise their system. Running a business system on a computer connected to the internet without a firewall is a breach of the privacy act. Biggest problem with computers is everyone who knows how to turn one on and install software thinks they are an expert and nothing is further from the truth. Most IT professionals admit that computing is so broad nowadays no one knows it all.

Commenter

JHP

Location

Colac

Date and time

November 05, 2012, 2:21PM

Or even simpler, don't use Windows. Linux is much safer and it's free!

Commenter

Meanwhile

Location

in the real world

Date and time

November 05, 2012, 2:38PM

If you fall for this then no words can describe how stupid you are. A fine of "2 to 5 hundred minima wages" ?? Hahahahahaha. Brilliant.

Commenter

Chris

Location

Sydney

Date and time

November 05, 2012, 11:17AM

A lot of fines are now being related to a unit or minimum wage etc. This negates the need to update legislation in line with CPI changes.

Commenter

Charlie.M

Date and time

November 05, 2012, 11:41AM

Charlie M - are they? By whom?

Commenter

Grant

Location

ACT

Date and time

November 05, 2012, 12:17PM

@Charlie M, I think Chris meant that spelling mistakes (and bad grammar) often alert the more aware user that the whole thing is a scam.

Commenter

Traveller

Date and time

November 05, 2012, 12:31PM

@ Charlie.M: I think you are missing the point - this is funny because of the terrible spelling and grammar!!!!!!!

Commenter

Max

Location

Sydney

Date and time

November 05, 2012, 12:46PM

Luckily for the scammers an awful lot of Australians can't speak or write their own language proficiently...

Commenter

Problem?

Date and time

November 05, 2012, 12:50PM

Charlie M, I think you will find penalty units have existed for an extremely long time to eliminate the need to change legislation. Minimum Wages on the other hand is not real